a cosmological pedestrian

How to create a SuplRootCert for supl.google.com

Back to these bad GPS fixes for Android spread all over the net. This time I will describe how to find out which SSL root certificate you actually need and how to create it. First we need to know which root certificate the Google SUPL server's certificate has been signed by. There are several ways, but we use the easiest: connect to the SUPL server with the openssl binary. This can be done with the following command:

$ openssl s_client -connect supl.google.com:7275

The output you will see will include the following relevant part at the beginning:

This means the server certificate of supl.google.com is signed by the “Thawte Premium Server CA” root certificate, so that is the one you need to find. Each SSL certificate issuer has a site with all its root certificates available. You can find the root certificates for Thawte here:

UPDATE 2015: Google uses Root 2 – GeoTrust Global CA in the meantime. You can get it

Now download the “Root 2 Thawte Premium Server CA” certificate. You will get the certificate in the PEM format. The SuplRootCert file on Android is stored in the DER format so we need to convert it. This can be done with the following command:

Now you have the correct SuplRootCert, which you can put in /system/etc and use with gps.conf. If you have a SuplRootCert and want to find out which root certificate it is, you can do so with the following command:

openssl x509 -inform DER -in SuplRootCert -text
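The steps above as an added example, not code from the original post: it converts a PEM root to a DER SuplRootCert, prints its subject, and checks that a server certificate really chains to it. The conversion uses the usual openssl x509 PEM-to-DER options, which is an assumption about the command the post refers to; the function names and the throwaway test certificates are constructed here and stand in for the real server and CA certificates.

```shell
#!/bin/sh
# Added example. All certificates are constructed throwaway test data.

# Convert a downloaded PEM root certificate into the DER file Android reads.
make_supl_root_cert() {   # $1 = root PEM, $2 = output path
    openssl x509 -inform PEM -in "$1" -outform DER -out "$2"
}

# Print the subject of a DER SuplRootCert to identify which root it is.
supl_root_subject() {     # $1 = SuplRootCert
    openssl x509 -inform DER -in "$1" -noout -subject -nameopt RFC2253 |
        sed 's/^subject=[[:space:]]*//'
}

# Succeed only if the server certificate chains to the given SuplRootCert.
# -no-CApath keeps the default CA directory out of the check.
supl_root_signs() {       # $1 = SuplRootCert (DER), $2 = server cert (PEM)
    _pem=$(mktemp) || return 2
    openssl x509 -inform DER -in "$1" -outform PEM -out "$_pem" 2>/dev/null &&
        openssl verify -no-CApath -CAfile "$_pem" "$2" >/dev/null 2>&1
    _rc=$?
    rm -f "$_pem"
    return "$_rc"
}

# Build constructed test material: two roots and a server cert signed by one.
make_test_pki() {         # $1 = work directory
    printf '%s\n' '[req]' 'distinguished_name = dn' 'x509_extensions = v3' \
        'prompt = no' '[dn]' 'CN = placeholder' '[v3]' \
        'basicConstraints = critical,CA:TRUE' > "$1/ca.cnf"
    for ca in good wrong; do
        openssl req -x509 -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
            -subj "/CN=Constructed $ca root" -days 1 \
            -keyout "$1/$ca.key" -out "$1/$ca.pem" 2>/dev/null || return 1
    done
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=supl.example.test" \
        -keyout "$1/server.key" -out "$1/server.csr" 2>/dev/null || return 1
    openssl x509 -req -in "$1/server.csr" -CA "$1/good.pem" \
        -CAkey "$1/good.key" -CAcreateserial -days 1 \
        -out "$1/server.pem" 2>/dev/null
}
```

Against a real server, the certificate saved from the s_client output would take the place of server.pem; a SuplRootCert built from the wrong root then fails the check instead of silently ending up on the device.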

REMEMBER: This works only on vendor ROMs which provide SUPL TLS support. I didn’t see any CyanogenMod ROM with TLS SUPL support yet!!!

Nobody ever claimed that security is easy. Only if you understand it can you make things secure. There are so many experts out in the forums who are the gurus of creating GPS fix packages but have no clue what they are doing, and they supply wrong certificates. I think that is worse than having no security. They give you a false impression.